The quest to replace passwords: A framework for comparative evaluation of web authentication schemes

Joseph Bonneau, Cormac Herley, Paul C. Van Oorschot, Frank Stajano

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

We evaluate two decades of proposals to replace text passwords for general-purpose user authentication on the web using a broad set of twenty-five usability, deployability and security benefits that an ideal scheme might provide. The scope of proposals we survey is also extensive, including password management software, federated login protocols, graphical password schemes, cognitive authentication schemes, one-time passwords, hardware tokens, phone-aided schemes and biometrics. Our comprehensive approach leads to key insights about the difficulty of replacing passwords. Not only does no known scheme come close to providing all desired benefits: none even retains the full set of benefits that legacy passwords already provide. In particular, there is a wide range from schemes offering minor security benefits beyond legacy passwords, to those offering significant security benefits in return for being more costly to deploy or more difficult to use. We conclude that many academic proposals have failed to gain traction because researchers rarely consider a sufficiently wide range of real-world constraints. Beyond our analysis of current schemes, our framework provides an evaluation methodology and benchmark for future web authentication proposals.

Original languageEnglish (US)
Title of host publicationProceedings - 2012 IEEE Symposium on Security and Privacy, S and P 2012
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages553-567
Number of pages15
ISBN (Print)9780769546810
DOIs
StatePublished - 2012
Event33rd IEEE Symposium on Security and Privacy, S and P 2012 - San Francisco, CA, United States
Duration: May 21 2012May 23 2012

Publication series

NameProceedings - IEEE Symposium on Security and Privacy
ISSN (Print)1081-6011

Other

Other33rd IEEE Symposium on Security and Privacy, S and P 2012
Country/TerritoryUnited States
CitySan Francisco, CA
Period5/21/125/23/12

Keywords

  • authentication
  • computer security
  • deployability
  • economics
  • human computer interaction
  • security and usability
  • software engineering

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Software
  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'The quest to replace passwords: A framework for comparative evaluation of web authentication schemes'. Together they form a unique fingerprint.

Cite this